If you are designing new web software, you might be worried about hearing that the website has been hacked. You want to prevent illegal access to the website and prevent viruses from affecting your machine. Virus handling is done at the machine level, but preventing illegal access has to be taken care of in the design of the website software. What if a user is able to get sensitive information about other users? What if an attacker is able to make your website slow or unresponsive? How many such kinds of attack are possible? To answer this, we need to perform a security risk assessment of our software. Once a risk is known, one of the following responses is chosen for it:
Assume/Accept: Acknowledge the existence of a particular risk, and make a deliberate decision to accept it without engaging in special efforts to control it. Approval of project or program leaders is required.
Avoid: Adjust program requirements or constraints to eliminate or reduce the risk. This adjustment could be accommodated by a change in funding, schedule, or technical requirements.
Control: Implement actions to minimize the impact or likelihood of the risk.
Transfer: Reassign organizational accountability, responsibility, and authority to another stakeholder willing to accept the risk.
Watch/Monitor: Monitor the environment for changes that affect the nature and/or the impact of the risk.
Asset identification - This covers the company assets that are at stake. Examples include reputation, IT infrastructure, and customer/partner/employee relationships. It also has to settle the following points:
How to gather asset information (surveys, interviews)
Who will hold the master copy
How to record the asset information. It can be a simple spreadsheet or a complex graph; the criterion is that people across the company should be able to understand it
Risk analysis
Data criticality. For example, credit card information is critical to the customer and to the company's reputation. Arriving at it requires knowing:
For what purposes the data is used
The consequences if the data is compromised
Application criticality. This considers the risk impact associated with the application being compromised. The following information helps to arrive at it:
What the interfaces to the application are
Architecture - where the application is deployed, and whether any AAA (authentication, authorization, accounting) is needed
Risk mitigation
Access control. It includes identity recording, user-friendly access methods, and a delegation option so that action can still be taken when the admin is on leave
Handling data in transit
Privacy
Integrity
Host lockdown - This refers to strengthening the security of the host OS
Risk monitoring - This includes continuous monitoring of security logs. This helps to know when:
A low-likelihood risk has occurred
The security posture needs to be reevaluated, since the assets, their uses, and the threats change over time
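As an added example (not from the original text), the following Python sketches the spreadsheet-style register that the asset identification, risk analysis, mitigation and monitoring steps above describe: each row records an asset, its data criticality, likelihood, exposed interfaces and the chosen response, and the checks enforce the rule that an accepted risk needs leader approval. The scoring formula, the monitor-only threshold and the sample rows are assumptions constructed for the example, not taken from the page.

```python
import csv
import io
from dataclasses import dataclass

# The five responses named in the text; "accept" must carry a named approver.
RESPONSES = {"accept", "avoid", "control", "transfer", "monitor"}
MONITOR_ONLY_MAX = 8  # assumed policy: higher scores cannot just be watched


@dataclass
class Risk:
    asset: str             # asset at stake (reputation, IT infra, relationships)
    data_criticality: int  # 1..5, e.g. credit card data = 5
    likelihood: int        # 1..5
    interfaces: int        # exposed application interfaces (architecture input)
    response: str
    approved_by: str = ""

    def score(self) -> int:
        # Assumed formula: impact = data criticality + exposure, scaled by likelihood.
        impact = self.data_criticality + min(self.interfaces, 5)
        return impact * self.likelihood


def load_register(csv_text: str) -> list[Risk]:
    """Parse the simple spreadsheet form of the register."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return [Risk(r["asset"], int(r["data_criticality"]), int(r["likelihood"]),
                 int(r["interfaces"]), r["response"].lower(), r["approved_by"])
            for r in rows]


def problems(risk: Risk) -> list[str]:
    """Policy checks a reviewer applies to each row before sign-off."""
    found = []
    if risk.response not in RESPONSES:
        found.append(f"{risk.asset}: unknown response '{risk.response}'")
    if risk.response == "accept" and not risk.approved_by:
        found.append(f"{risk.asset}: accepted risk has no leader approval")
    if risk.response == "monitor" and risk.score() > MONITOR_ONLY_MAX:
        found.append(f"{risk.asset}: score {risk.score()} too high to only watch")
    return found


def prioritized(register: list[Risk]) -> list[tuple[str, int]]:
    """Assets ordered by score, highest first, to drive the mitigation plan."""
    return sorted(((r.asset, r.score()) for r in register), key=lambda t: -t[1])


# Constructed sample register (hypothetical assets, not real data).
SAMPLE = """asset,data_criticality,likelihood,interfaces,response,approved_by
payment-db,5,2,3,control,
intranet-wiki,1,3,1,accept,program-lead
build-host-jre,3,4,2,accept,
public-site,4,3,6,monitor,
"""
```

Running `problems` over each row of `load_register(SAMPLE)` flags the unapproved acceptance on build-host-jre and the merely watched public-site, while `prioritized` puts public-site first.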
Perimeter attack
Such attackers know about tools like viruses and worms, but they don't know about the application software. They inject malicious software and let it act. To mitigate such attacks, we need a firewall.
Internal attack
Attacks by insiders of the company
Insiders bring external threats inside. For example, an employee downloads malicious software unknowingly.
Malware
Third party software
For example, vulnerabilities in the JRE or in highly privileged apps